First, the NIST 800 publications are policy directives on how to set up and secure one of the largest IT environments in the country. The special publications in most cases represent the best practices for keeping an IT environment safe and secure. While not all publications are applicable to all organizations, many organizations model their own IT security on information from NIST 800. Second, companies seeking to contract for the federal government need a degree of compliance with NIST 800. In particular, NIST Special Publication 800-171, Protecting Controlled Unclassified Information (“CUI”) in Nonfederal Information Systems and Organizations, spells out compliance requirements for current and prospective contractors.
According to Special Publication 800-171, “The CUI Program is designed to address several deficiencies in managing and protecting unclassified information to include inconsistent markings, inadequate safeguarding, and needless restrictions, both by standardizing procedures and by providing common definitions through a CUI registry” (Page 1). It is under that registry that ETTE works to provide companies the particular requirements and baselines to acquire and maintain compliance. NIST understands that companies might have a hard time maintaining a full, comprehensive infrastructure comparable to a federal environment. This is why, “If nonfederal organizations entrusted with protecting CUI designate specific information systems or system components for the processing, storage, or transmission of CUI, then the organizations may limit the scope of the CUI security requirements to those particular systems or components.” (Page 2). Instead of creating an entire network under NIST regulation, ETTE can develop and partition a highly secured subnetwork. This subnetwork is also a more cost-effective solution for small and medium organizations to perform federal-related services or tasks.
The CUI programs have 3 fundamental security requirements that have to be met in any circumstance:
“Statutory and regulatory requirements for the protection of CUI are consistent, whether such information resides in federal information systems or nonfederal information systems including the environments in which those systems operate;
Safeguards implemented to protect CUI are consistent in both federal and nonfederal information systems and organizations; and
The confidentiality impact value for CUI is no lower than moderate in accordance with Federal Information Processing Standards (FIPS) Publication 199.” (Page 5)
ETTE understands the unique security and compliance ecosystem that many of our customers live in. We want your business to comply with any regulation it needs to. For this, we follow NIST Special Publication 800-171 regulations to make sure your IT environment is fully compliant. CUI’s security system is divided into fourteen categories (referred to as “Families”) described in Chapter Three of Special Publication 800-171:
For a basic typical CUI Secured environment, ETTE provides an affordable package of the following services to address and provide compliance for the fourteen families:
To ensure CUI security compliance, the best practice calls for an IT Security Plan. In many instances, such a plan is REQUIRED to do business with the Federal government or act as a subcontractor to larger contracting organizations. ETTE can help your organization develop a compliant IT security plan. We conduct the initial development of the IT Security Plan consultatively, following the security regulations for your particular industry. The plan also takes into consideration your organization’s size, current system, and budget. The plan will provide a clear indication of how each element of the plan addresses one or more of the fourteen families required for CUI compliance. The initial plan development is an affordable billable project, while ongoing maintenance of the plan is included as part of the compliance solution.
The National Institute of Standards and Technology (NIST) is the US Government Agency charged with setting the IT standards for the Civilian Government. The number “800” refers to a series of Special Publications that set the federal government security policies, procedures, and guidelines.